[Samba] samba4 and sssd and user mapping

Rowland Penny rowlandpenny at googlemail.com
Tue Jan 21 03:19:35 MST 2014


On 21/01/14 08:50, Denis Cardon wrote:
> Hi Rowland and Steve,
>
>>> on a server running samba4 with sssd for nsswitch mapping, I realized
>>> recently that on windows workstation in the "folder property/security
>>> tab", users are mapped as "Unix user\userlogin" instead of
>>> "DOMAINNAME\userlogin".
>>>
>>> I guess this is due to the fact that sssd mapping with getent passwd
>>> gives me user name without domain name (eg. userlogin), and in the
>>> samba4 smb.conf I don't know how to specify to use default domain, so
>>> it probably maps users to DOMAINNAME\userlogin.
>>>
>>> Looking at sssd doc, I didn't find how to add domain name in
>>> sssd.conf, and in smb.conf, the only related command is "winbind use
>>> default domain", and I'd like to use sssd instead of winbind.
>>>
>>> So I'd like to ask if there is a "use default domain" command for
>>> smb.conf without winbind?
>>>
>>> Cheers,
>>>
>>> Denis
>>>
>>>
>> Hi, I do not think that this has anything to do with sssd, the problem
>> seems to occur only on a windows workstation where sssd is not used. Did
>> you create the unix users with samba-tool?
>>
>> If you did, then this could be where the problem lies, if you create a
>> user through ADUC and then add the Unix attributes, ADUC adds the
>> following attributes to the user:
>>
>> msSFU30NisDomain
>> msSFU30Name
>> uidNumber
>> gidNumber
>> loginShell
>> unixHomeDirectory
>> uid
>>
>> I think that it is the lack of at least the first on the list that is
>> giving you your problem.
>>
>> If you think about it, where is 'Unix user' coming from? I think it is
>> something windows uses if it cannot get the 'msSFU30NisDomain' but does
>> find 'uidNumber'
>>
>> Try adding the attributes to one of your users and see if it cures your
>> problem.
>
> Indeed this is not linked to sssd per se. I have looked at another 
> setup (samba3 + sssd, so not exactly the same stuff) where I set the 
> unix attribute through ADUC and security tab displays properly. I'll
> look at the msSFU30NisDomain in deeper detail by tomorrow.
>
> Thanks for the input!
>
> Denis
>
>
>
>
>>
>> Rowland
>>
>
>
Hi, if adding the msSFU30 attributes cures your problem, I think that a 
bug needs to be raised. I personally think that 'samba-tool user create' 
should work just like creating a user through ADUC, but this would 
require a big rewrite and additions to ypServ30.ldif.

Rowland
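
Added example (not part of the original message and not Samba project code): a Python check that reports which of the seven attributes listed in the thread are absent from user entries exported as LDIF. The sample entries, the user names and the DC=example,DC=com base are constructed for illustration.

```python
import base64

# Attributes the thread lists as added by ADUC when Unix attributes are set.
ADUC_UNIX_ATTRS = ["msSFU30NisDomain", "msSFU30Name", "uidNumber", "gidNumber",
                   "loginShell", "unixHomeDirectory", "uid"]

# Constructed sample LDIF (not real data); has a folded dn and a base64 value.
SAMPLE = """\
dn: CN=alice,CN=Users,DC=example,DC=com
msSFU30NisDomain: example
msSFU30Name: alice
uidNumber: 10001
gidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory:: L2hvbWUvYWxpY2U=
uid: alice

dn: CN=bob,CN=Users,
 DC=example,DC=com
uidNumber: 10002
gidNumber: 10000
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        value = rest.strip()
        if rest.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(name.strip().lower(), []).append(value)
    return entries

def missing_unix_attrs(entry):
    """List the ADUC Unix attributes that are absent or empty in an entry."""
    return [a for a in ADUC_UNIX_ATTRS if not any(entry.get(a.lower(), []))]
```

Calling `missing_unix_attrs` on each entry returned by `parse_ldif` shows at a glance whether an account has the full attribute set from the list above or only part of it.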
